Probably a bit late to the party, but I will attempt to share things of interest to me (that are over the 140 character twitter limit) via this space.

Monday, April 6, 2009

UFW Howto in BT4

This is a small howto for UFW, the uncomplicated firewall, on BT4. The majority of this info comes from the man page. There are other tutorials on the net for using this. There is also a GUI; we will talk about it a bit later.

First and foremost, if you have something to add please do so. ufw is a front end for iptables. So in order for us to start ufw, go to the command line:
Code:
root@bt:~# ufw

So let's look at some of the usage flags. enable/disable are self explanatory.
Code:
# ufw enable

We get back:
Code:
root@bt:~# ufw enable
Firewall started and enabled on system startup
root@bt:~#

Of course we would then have to reboot. When you do it will show up as enabled in the boot sequence. If it checks out you get the [OK]. Now let's look at the default policy and its two settings, ALLOW and DENY. allow will, as it states, allow all defaults to take place, which right now means that our firewall really does nothing. deny will stop all incoming and forwarded packets, but it will not stop outgoing packets. So at the minimum this is better than nothing. Here is what it looks like:
Code:
root@bt:~# ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)
root@bt:~#

The same reminder is given every time. We will look at rules in a bit; first let's look at logging. You can either turn it on or off.
Code:
# ufw logging on
logging enabled

The logs are stored in /var/log/messages, /var/log/kern.log and /var/log/syslog; there is not a separate log for ufw as of yet. You can gather information from them by using grep:
Code:
# grep ufw /var/log/syslog
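As an added example, not from the original post, here is a small POSIX shell script that digests the [UFW BLOCK] lines that grep pulls out of /var/log/syslog and shows which sources keep hitting which closed ports. The log lines are constructed for the example (made-up hosts, MACs and addresses) and the two function names are my own.

```shell
#!/bin/sh
# Constructed sample of what 'grep ufw /var/log/syslog' returns on a BT4 box with
# 'ufw logging on' and 'ufw default deny'. Hosts, MACs and addresses are made up.
UFW_SAMPLE='Apr  6 10:01:02 bt kernel: [ 1200.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.1.100 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:01:03 bt kernel: [ 1201.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.1.100 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:02:10 bt kernel: [ 1268.300] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.7 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=3333 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  6 10:02:11 bt kernel: [ 1269.300] [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.7 DST=192.168.1.5 LEN=32 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=UDP SPT=53 DPT=137 LEN=12
Apr  6 10:03:05 bt sshd[1234]: Accepted password for root from 192.168.1.1 port 51000 ssh2'

# Summarise the [UFW BLOCK] lines read on stdin as "count SRC PROTO DPT",
# most-blocked first; other syslog lines (sshd, ALLOW entries, ...) are ignored.
ufw_blocked_summary() {
    grep '\[UFW BLOCK\]' | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1rn -k2,2 -k3,3 -k4,4n
}

# Sources that were blocked at least $1 times (default 2) on one port: a quick
# way to spot a host repeatedly hitting a port you closed with 'ufw deny'.
ufw_noisy_sources() {
    ufw_blocked_summary | awk -v t="${1:-2}" '$1 >= t { print $2 }' | sort -u
}

# Stand-alone run over the sample; on a live box use: ufw_blocked_summary < /var/log/syslog
printf '%s\n' "$UFW_SAMPLE" | ufw_blocked_summary
printf '%s\n' "$UFW_SAMPLE" | ufw_noisy_sources 2
```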

Now let's look at the rules. There are again two options: an allow rule or a deny rule. So here is where it can get a bit more complicated. This is how we add certain ports and protocols.
Code:
# ufw allow 80
rule updated

So now port 80 (http) is open. Close it again with:
Code:
# ufw deny 80

Now with just the port it will allow or deny traffic from both tcp and udp.

Now we can also specify the protocol, like the following: 80/tcp.

We can also delete a rule and it will revert to whatever the default policy had at the beginning. More complicated rules can be made as well. For instance, if we want to single out a certain IP address (to blacklist or whitelist it) we can by supplying the address to the rule set; with allow it looks like this:
Code:
# ufw allow from 192.168.1.100

You can also specify certain ports with certain IPs like so:
Code:
# ufw allow from 192.168.1.1 to any port 22

This will allow 192.168.1.1 to access port 22 on both tcp and udp. If you want to allow only tcp, append it to the end of the port: 22/tcp. You can also use a netmask. Next let's look at services. You can set services that can be found in:
Code:
# cat /etc/services

For instance, if we want to allow telnet then we simply give:
Code:
# ufw allow telnet

That simple. One caveat though is that the service must be installed on the host. Probably the best usage flag in ufw is --dry-run, which will not make any real changes but only show what would occur with the new rule in place. So for example:
Code:
# ufw --dry-run deny ssh

If the rule will not work or the syntax is wrong it will spit back an error. Also, when adding rules the first match wins, according to the man page. So make your specific rules first, then the general ones.

There is more to the rules, as well as support for applications themselves.

Next thing we can look at is adding the GUI interface, if needed. The link is here; this download is a ".deb" package, you can install it using:
Code:
# dpkg -i gufw_0.0.7c-all.deb

There are more things that can be done and if anyone needs help with it make a post here about it.